This document provides a configuration example for a guest wireless LAN
(WLAN) and a secure internal WLAN that use WLAN controllers (WLCs) and
lightweight access points (LAPs). In the configuration in this document, the
guest WLAN uses web authentication to authenticate users and the secure
internal WLAN uses Extensible Authentication Protocol (EAP)
authentication.

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

The configuration example in this document uses the setup displayed in
this diagram. The LAP is registered to the WLC. The WLC is connected to the
Layer 2 switch. The router that connects the users to the WAN also connects to
the Layer 2 switch. You need to create two WLANs, one for the guest users and
the other for the internal LAN users. You also need a DHCP server to provide IP
addresses for the guest and internal wireless clients. The guest users use web
authentication in order to access the network. The internal users use EAP
authentication. The 2811 router also acts as the DHCP server for the wireless
clients.

Note that some firewalls, when configured as a DHCP server, do not support
DHCP requests from a relay agent. The WLC acts as a relay agent for the client,
so a firewall configured as a DHCP server ignores these requests. Clients must
be directly connected to the firewall and cannot send requests through another
relay agent or router. The firewall can work as a simple DHCP server only for
internal hosts that are directly connected to it, which lets the firewall
maintain its table based on the MAC addresses that it can see directly. This is
why addresses cannot be assigned through a DHCP relay: the relayed packets are
discarded. The PIX Firewall has this limitation.

The Interfaces window appears. This window lists the interfaces
that are configured on the controller. This includes the default interfaces,
which are the management interface, the ap-manager interface, the virtual
interface and the service port interface, as well as any user-defined dynamic
interfaces.

Click New in order to create a new dynamic
interface.

In the Interfaces > New window, enter the Interface Name and the
VLAN Id. Then, click Apply.

In this example, the dynamic interface is named Guest-WLAN and the
VLAN Id is assigned 10.

In the Interfaces > Edit window, for the dynamic interface,
enter the IP address, the subnet mask, and the default gateway. Assign it to a
physical port on the WLC, and enter the IP address of the DHCP server. Then,
click Apply.

This is the example:

The same procedure must be completed in order to create a dynamic
interface for the Internal WLAN.

In the Interfaces > New window, enter
Internal-WLAN for the dynamic interface for the internal
users, and enter 20 for the VLAN Id. Then, click
Apply.

In the Interfaces > Edit window, for the dynamic interface,
enter the IP address, the subnet mask, and the default gateway. Assign it to a
physical port on the WLC, and enter the IP address of the DHCP server. Then,
click Apply.

Now that two dynamic interfaces are created, the Interfaces window
summarizes the list of interfaces configured on the
controller.

The next step is to create WLANs for the guest users and the internal
users, and map the dynamic interfaces to the WLANs. The security methods
that are used to authenticate the guest and internal users must also be defined.
Complete these steps:

Click WLANs from the controller GUI in order to
create a WLAN.

The WLANs window appears. This window lists the WLANs configured on
the controller.

Click New in order to configure a new
WLAN.

In this example, the WLAN is named Guest and
the WLAN ID is 2.

Click Apply in the top right corner.

The WLAN > Edit screen appears, which contains various
tabs.

Under the General tab for the guest WLAN, choose
guest-wlan from the Interface Name field. This maps the
dynamic interface guest-wlan that was previously created to
the WLAN Guest.

Make sure that the Status of the WLAN is enabled.

Click the Security tab. For this WLAN, Web Authentication, a Layer 3
security mechanism, is used to authenticate clients. Therefore, choose
None under the Layer 2 Security field. In the Layer 3 Security field, check
the Web Policy box and choose the Authentication option.
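The same dynamic-interface and guest-WLAN steps expressed on the WLC command line, as an added example that is not part of the original document. The addresses are assumptions: the guest subnet is 10.10.10.0/24 and the internal subnet is 10.20.20.0/24, with the router sub-interface at .1 of each subnet serving as default gateway and DHCP server, and both dynamic interfaces use physical port 1. Lines that start with "!" are comments for the reader, not WLC commands.

```cisco
! Dynamic interface for the guest WLAN (VLAN 10); assumed addresses
config interface create guest-wlan 10
config interface address guest-wlan 10.10.10.2 255.255.255.0 10.10.10.1
config interface port guest-wlan 1
config interface dhcp guest-wlan primary 10.10.10.1

! Dynamic interface for the internal WLAN (VLAN 20); assumed addresses
config interface create internal-wlan 20
config interface address internal-wlan 10.20.20.2 255.255.255.0 10.20.20.1
config interface port internal-wlan 1
config interface dhcp internal-wlan primary 10.20.20.1

! Guest WLAN with ID 2, mapped to guest-wlan
! (releases that take only an SSID omit the second "Guest")
config wlan create 2 Guest Guest
config wlan interface 2 guest-wlan

! Layer 2 security must end up as None; which method is on by default
! depends on the WLC release, so disable both 802.1X and WPA
config wlan security 802.1X disable 2
config wlan security wpa disable 2

! Layer 3 security: web authentication
config wlan security web-auth enable 2
config wlan enable 2

! Verify the interface-to-VLAN mapping and the WLAN security summary
show interface summary
show wlan 2
```

The web-authentication page still needs a credential source: the example does not add one, so supply either a local net user on the controller or a RADIUS server before testing with a guest client. Check `show wlan 2` to confirm that Layer 2 security reads None and Web Authentication is enabled, since a WLAN left with its default Layer 2 security will not behave as the guest WLAN described above.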

You need to configure the switch port to support the multiple VLANs
configured on the WLC because the WLC is connected to a Layer 2 switch. You
must configure the switch port as an 802.1Q trunk port.

Each controller port connection is an 802.1Q trunk and should be
configured as such on the neighbor switch. On Cisco switches, the native VLAN
of an 802.1Q trunk, for example VLAN 1, is left untagged.
Therefore, if you configure a controller interface to use the native VLAN of
the neighbor Cisco switch, make sure that you configure the interface on the
controller as untagged.

A zero value for the VLAN identifier (on the
Controller > Interfaces window) means that the interface is untagged. In the
example in this document, the AP-Manager and Management Interfaces are
configured in the default untagged VLAN.

When the VLAN identifier of a controller interface is set to a non-zero
value, that VLAN must not be the native VLAN of the switch port, and the VLAN
must be allowed on the trunk. In this example, VLAN 60 is configured as the
native VLAN on the switch port that connects to the controller.

This is the configuration for the switch port that connects to the
WLC:
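An added switch-port configuration that matches the rules above; it is an example written for this page, not the configuration from the original document. It assumes a Cisco IOS switch with the WLC on FastEthernet0/1 and the 2811 router on FastEthernet0/2, VLAN 60 as the untagged native VLAN that carries the controller's management and AP-manager traffic, and VLANs 10 and 20 tagged for the guest and internal dynamic interfaces.

```cisco
! VLANs used on the trunks (names are assumptions)
vlan 10
 name Guest-WLAN
vlan 20
 name Internal-WLAN
vlan 60
 name WLC-Management
!
! Trunk to the WLC: native VLAN 60 stays untagged for the management and
! AP-manager interfaces (VLAN id 0 on the controller); VLANs 10 and 20 are
! tagged. Restricting the allowed list keeps unrelated VLANs off the WLC port.
interface FastEthernet0/1
 description Trunk to WLC port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 60
 switchport trunk allowed vlan 10,20,60
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Trunk to the 2811 router, same VLAN set
interface FastEthernet0/2
 description Trunk to 2811 FastEthernet0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 60
 switchport trunk allowed vlan 10,20,60
 switchport mode trunk
 switchport nonegotiate
!
! Verify: both ports should show mode "on", encapsulation 802.1q,
! native VLAN 60 and allowed VLANs 10,20,60
show interfaces trunk
```

`switchport nonegotiate` disables DTP on the port so the trunk state is fixed rather than negotiated; `switchport trunk encapsulation dot1q` is only accepted on switches that also support ISL and is rejected on models that are 802.1Q-only, in which case omit it. If `show interfaces trunk` reports a native VLAN mismatch with the controller side, the controller's management interface is most likely configured with a non-zero VLAN identifier.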

In the example in this document, the 2811 router connects the guest
users to the Internet and also connects the internal wired users to the
internal wireless users. You also need to configure the router to provide DHCP
services.

On the router, create sub-interfaces under the FastEthernet interface
which connects to the trunk port on the switch for every VLAN. Assign the
sub-interfaces to the corresponding VLANs, and configure an IP address from the
respective subnets.

Note: Only relevant portions of the router configuration are given, and not
the complete configuration.

This is the configuration required on the router to accomplish
this.

These are the commands that must be issued in order to configure DHCP
services on the router:
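An added router configuration that carries the sub-interface and DHCP steps through; it is an example written for this page, not the original document's configuration. It assumes FastEthernet0/0 on the 2811 faces the switch trunk, VLAN 60 is the native VLAN, the guest subnet is 10.10.10.0/24, the internal subnet is 10.20.20.0/24, the management subnet is 10.60.60.0/24, and a DNS server at 10.60.60.5 serves both WLANs (all addresses are assumptions). The WLC dynamic interfaces at 10.10.10.2 and 10.20.20.2 relay client DHCP requests to the router, so each pool's network must match the subnet of the dynamic interface whose address appears as the relay address.

```cisco
! Physical interface toward the switch trunk carries no address itself
interface FastEthernet0/0
 no ip address
 no shutdown
!
! One sub-interface per VLAN; the sub-interface number is a convention only,
! the "encapsulation dot1Q" value is what binds it to the VLAN
interface FastEthernet0/0.10
 description Guest-WLAN (VLAN 10)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group GUEST-IN in
!
interface FastEthernet0/0.20
 description Internal-WLAN (VLAN 20)
 encapsulation dot1Q 20
 ip address 10.20.20.1 255.255.255.0
!
interface FastEthernet0/0.60
 description WLC management (native VLAN 60, untagged)
 encapsulation dot1Q 60 native
 ip address 10.60.60.1 255.255.255.0
!
! Keep the gateway and the WLC dynamic-interface addresses out of the pools
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.20.20.1 10.20.20.10
!
! A DNS server is required: the web-auth redirect only happens after the
! client's DNS lookup succeeds (see the troubleshooting note later on)
ip dhcp pool Guest-WLAN
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.60.60.5
 lease 0 8
!
ip dhcp pool Internal-WLAN
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
 dns-server 10.60.60.5
!
! Added hardening not shown on the page: guests get DNS and the Internet,
! but not the internal or controller-management subnets
ip access-list extended GUEST-IN
 permit udp 10.10.10.0 0.0.0.255 host 10.60.60.5 eq domain
 deny   ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.60.60.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
!
! Verify: leases appear per client MAC once the wireless clients associate
show ip dhcp binding
show ip dhcp pool
```

The relayed DHCP requests arrive at the router from the WLC's dynamic-interface address, so the `permit ip 10.10.10.0 0.0.0.255 any` entry at the end of `GUEST-IN` also covers them; do not turn that entry into a deny without adding an explicit permit for UDP bootps to 10.10.10.1. The web-authentication exchange with the controller's virtual address (1.1.1.1 in this document) never reaches the router, so it needs no ACL entry.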

Connect two wireless clients, one guest user (with service set
identifier [SSID] Guest) and one internal user (with SSID
Internal), in order to verify the configuration works as
expected.

Remember that the guest WLAN was configured for Web Authentication.
When the guest wireless client comes up, enter any URL on the web browser. The
default web authentication page pops up and prompts you to enter the username
and password. Once the guest user enters a valid username/password, the WLC
authenticates the guest user and allows access to the network (possibly the
Internet). This example shows the web authentication window that the user
receives and the output on a successful authentication:

One of the frequent issues that occurs with web authentication is when
the redirect to the web authentication page does not work. The user does not
see the web authentication window when the browser is opened. Instead, the user
must manually enter https://1.1.1.1/login.html in order to get
to the web authentication window. This has to do with the DNS lookup, which
needs to work before the redirect to the web authentication page occurs. If the
browser homepage on the wireless client points to a domain name, you need to
perform nslookup successfully once the client associates in order for the
redirect to work.

Also, for a WLC that runs a version earlier than 3.2.150.10, web
authentication works as follows: when a user in that SSID attempts to access
the Internet, the management interface of the controller does a DNS query to
see if the URL is valid. If it is valid, the controller shows the authorization
page using the virtual interface's IP address. After the user successfully logs
in, the original request is allowed to pass back to the client. This is because
of Cisco bug ID CSCsc68105 (registered customers only). For more information,
refer to Troubleshooting Web Authentication on a Wireless LAN Controller (WLC).